Welcome to these forums!
If you are already running VSE v8.8 on the server, unless you are specifically excluding the upload directory, the On-Access Scanner (OAS) should already be checking the files uploaded. Running the Stinger or the Command Line Scanner (CLS) is a duplicate scan, which I would assume has limited value. I guess you could be checking the uploaded files using different scanning rules than the OAS rules.
If running VSE, make sure 'Scan on Read' is checked in addition to 'Scan on Write', as many newer forms of malware can avoid detection if only scanning on writes to disk.
If you are using a different real-time active AV package, and you are using the command line process as a second check, be careful to avoid deadlocks between the two packages. (Upon upload, any real-time scan by whatever AV package may lock files during its scan, which if the file is then checked by CLS or Stinger, can cause a deadlock. This would be bad, particularly on a server.)
Secondary scans of files uploaded can also be done by calling Scan32.exe as well. This should eliminate potential deadlocks but limit Exit ErrorLevel codes to tell what happened on any given file. See the Best Practices Guide to VirusScan Enterprise for more details.
Hopefully this is helpful.
Hi Guys,
Thanks for all your help
Good direction by Ron Metzger
I am looking for VirusScan Enterprise
I have just overviewed Best Practices Guide to VirusScan Enterprise
I read that both options, 'When writing to disk' and 'When reading from disk', are enabled by default.
Even though I have enabled the On-Access Scanner (OAS) on the upload directory,
I just wanted to know: as a security measure, is it sufficient?
If this was the case, why do many organisations like Yahoo and Google do on-upload scans of email attachments?
Thanks and Regards,
Andy Ross is correct in testing using EICAR as a safe, effective way to ensure your Real-time scanner is working.
To make the test EICAR file for yourself:
1) Turn OFF any Real-Time scanner. In VSE this would be the On-Access Scanner.
2) Copy and paste the next line into a file, such as EICAR.TXT
Note: The EICAR file is an Industry-wide and accepted file that is used for this purpose that is Safe and NOT a real Virus.
3) copy /b EICAR.TXT EICAR.EXE
4) Create a .zip file (using your favorite archiver program) copying EICAR.TXT and EICAR.EXE to an archive, such as: EICAR.ZIP
5) Repeat the .zip file creation again, but password protect the archive with a password which you will remember, such as: EICAR-PW.ZIP
6) Copy these files to a USB Flash Drive (or other simple to isolate drive store). Make as many copies of this group of files as you think you might need, on isolated storage, as successful 'tests' will delete files upon detection.
7) Finally, re-enable your Real-time AV scanner.
Now, you should have several files with which you can test the real-time scanner's ability to catch EICAR.
FTP it, or copy it, etc. to whatever Upload directory you have. Test away.
This would be a good time to see if files get locked by one scanner or the other, and what happens when the second scan attempts to do its thing.
Also, note how the copy of the password protected archive will most likely not get detected.
This is by no means an exhaustive test, but should highlight problems in detection and cleanup when things are 'working normally.'
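One way to script the copy-and-observe part of the test above, added here as an example and not part of the original posts. It assumes the test files were already prepared on isolated storage as in steps 1 to 6; the function names `probe` and `upload_test` and the status labels are hypothetical.

```python
import shutil
import time
from pathlib import Path


def probe(path: Path) -> str:
    """Classify one uploaded test file by what the real-time scanner left behind."""
    if not path.exists():
        return "removed"            # scanner deleted or quarantined it
    try:
        # Opening and reading the file is what triggers a 'Scan on Read' check.
        with open(path, "rb") as fh:
            fh.read()
    except FileNotFoundError:
        return "removed"            # deleted between the existence check and the read
    except OSError:
        return "blocked"            # access denied, or the file is locked by a scanner
    return "readable"               # nothing stopped the read: not detected


def upload_test(source_dir, upload_dir, settle_seconds=5.0):
    """Copy every test file into the upload directory and report what happened to it."""
    source_dir, upload_dir = Path(source_dir), Path(upload_dir)
    copied, results = {}, {}
    for src in sorted(p for p in source_dir.iterdir() if p.is_file()):
        dst = upload_dir / src.name
        try:
            shutil.copyfile(src, dst)
            copied[src.name] = dst
        except OSError:
            results[src.name] = "copy blocked"   # stopped while reading or writing
    time.sleep(settle_seconds)                   # give the scanner time to act
    for name, dst in copied.items():
        results[name] = probe(dst)
    return results


if __name__ == "__main__":
    import sys
    # Usage: python upload_test.py <isolated-test-file-dir> <upload-dir>
    for name, status in upload_test(sys.argv[1], sys.argv[2]).items():
        print(f"{name:20} {status}")
```

A file reported as "readable" was not detected, which is the result to expect for the password-protected archive; a "blocked" result that never clears is worth checking for the locking problem between two scanners.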